What is vulnerability management? Processes and software for prioritizing threats

Organizations handle vulnerability management in various ways, from training and best-practice implementations to filtering out all but the most dangerous threats. Here's a look at some of today's more innovative solutions.

Vulnerability management is the process of staying on top of vulnerabilities so that fixes can be applied more frequently and effectively. Vulnerabilities in need of fixing must be prioritized based on which ones pose the most immediate risk to the network. Security companies working in the field handle it in various ways, from training and best-practice implementations to filtering all the vulnerability noise down to just the most dangerous threats for a protected organization.

In cybersecurity, vulnerabilities are a big deal because without them, there would be very few breaches. But vulnerabilities on their own aren’t active threats, so it’s difficult for companies to figure out which to address, and in what order. This is especially true when the number of vulnerabilities climbs to staggering levels — sometimes into the millions for larger networks.

Think of vulnerabilities as holes in a suit of armor. A hole might not pose a problem right away, but it will probably cause trouble eventually, so patching it before someone exploits it (by sending an arrow through it, for example) is the sensible course. The problem in cybersecurity is that there are a great many holes.

Almost anything can become a vulnerability and thus a liability to network security. Things like unpatched operating systems, or programs and apps running old software versions are common vulnerabilities, as are siloed applications plugged into a modern network. On the more advanced side, attackers may find exploits that nobody else knows about, attacking a hole in the armor that was previously unknown. Even users can sometimes be considered vulnerabilities, especially today when many of the most targeted attacks, such as phishing, are designed to trick users into lowering the defenses for attackers.

Vulnerability management software

Kenna Security's vulnerability management platform is designed to prioritize the most dangerous vulnerabilities that could potentially harm a protected network. In a nutshell, it monitors most major threat feeds, and compares that data with assets inside a protected network.

The Kenna platform is deployed in a software as a service (SaaS) model, where users pay a yearly subscription fee to log into the secure site that collects their specific vulnerability data. The data collected by Kenna is used to improve security across the platform, so the more organizations that purchase it, the more threats it will likely encounter. Currently, Kenna tracks over two billion vulnerabilities worldwide, and the number grows daily.

Sometimes the best defense is a good offense. That was the philosophy behind the SCYTHE security company’s efforts to create the Crossbow vulnerability assessment platform. Deployed using either software as a service (SaaS) or through an on-premises installation, Crossbow is a virtual threat sandbox, allowing administrators to load up and deploy actual historical attacks like WannaCry, Goldeneye or Haxdoor, or create new threats from scratch. Once loaded or created, those attacks can be sent against a protected network to probe for any vulnerabilities.

Crossbow is perhaps one of the most dangerous defensive programs that CSO has ever reviewed. All of the attacks that it can load or create are real, using actual techniques and tactics that have historically broken through cybersecurity defenses at many organizations. Only the payload is neutered, and even that is optional. This makes Crossbow one of the most realistic tools out there for assessing, testing and managing vulnerabilities. To put it in perspective, Crossbow is much more akin to a military live-fire exercise than to a simulation, because the virtual threats Crossbow fires are real.

Many vulnerability management programs will direct IT teams to a critical-severity finding on a non-critical asset, while placing one that could potentially cripple your organization thousands of places down the priority list. It’s not the program’s fault; it simply lacks context. That is one of the major problems in the vulnerability management space that the Bay Dynamics Risk Fabric program is designed to solve.

It would not be an inaccurate description to call Risk Fabric a next-generation vulnerability management tool. By adding real context to raw scan results, IT teams are given a much better picture of the true risks hiding within their networks, including the potential costs if those problems are not fixed quickly.
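The following is an added example, not code from Bay Dynamics, Kenna or any product discussed above, illustrating the prioritization problem the last two paragraphs describe. It ranks the same set of constructed scan findings twice: once by raw severity score alone, and once by a context-aware risk score that also weighs the asset's business criticality and whether a threat feed reports the flaw as actively exploited. The hostnames, finding IDs, criticality scale and the weighting formula are all assumptions made for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Finding:
    """One row of a vulnerability scan, enriched with context (constructed sample data)."""
    host: str
    finding_id: str          # placeholder identifier, not a real CVE
    cvss: float              # base severity as a scanner would report it (0.0 - 10.0)
    asset_criticality: int   # assumed scale: 1 = disposable, 5 = crown jewel
    exploited_in_wild: bool  # assumed to come from a threat-intelligence feed


# Constructed scan results: the highest CVSS score sits on the least important asset.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("lobby-kiosk-03", "FINDING-0001", 9.8, 1, False),
    Finding("payments-db-01", "FINDING-0002", 7.5, 5, True),
    Finding("hr-portal-02",   "FINDING-0003", 8.1, 3, False),
    Finding("dev-vm-22",      "FINDING-0004", 6.5, 2, True),
]


def severity_only(f: Finding) -> float:
    """Naive ranking: trust the scanner's severity and nothing else."""
    return f.cvss


def contextual_risk(f: Finding) -> float:
    """Assumed risk model: severity scaled by asset value, doubled when exploitation is observed."""
    exploit_weight = 2.0 if f.exploited_in_wild else 1.0
    return f.cvss * f.asset_criticality * exploit_weight


def prioritize(findings: List[Finding], score: Callable[[Finding], float]) -> List[str]:
    """Return hostnames ordered from most to least urgent under the given scoring function."""
    return [f.host for f in sorted(findings, key=score, reverse=True)]


def must_fix_now(findings: List[Finding], threshold: float = 25.0) -> List[str]:
    """Filter the noise down to findings whose contextual risk exceeds an assumed threshold."""
    return [f.host for f in findings if contextual_risk(f) >= threshold]


if __name__ == "__main__":
    print("By severity alone:", prioritize(SAMPLE_FINDINGS, severity_only))
    print("By contextual risk:", prioritize(SAMPLE_FINDINGS, contextual_risk))
    print("Fix now:", must_fix_now(SAMPLE_FINDINGS))
```

Run as-is, the severity-only ranking puts the kiosk first and the payments database third; the contextual ranking inverts that, because a moderately scored but actively exploited flaw on a crown-jewel asset outweighs a near-perfect CVSS score on a disposable one. The exact weights are a judgment call an organization has to make for itself; what matters is that asset value and exploitation evidence enter the calculation at all.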

At its core, the CAWS Continuous Security Validation Platform from NSS Labs is a testing lab dedicated to finding and fixing threats against networks. Customers who make use of the program can elect to use one of two flavors of the product — public or private — both of which could be tremendously helpful when planning defenses and trying to manage vulnerabilities.

For SMBs and organizations with smaller networks, the public instance of CAWS can be an invaluable tool for alerting IT teams about real threats with the ability to breach their defenses. But Fortune 500 type companies, financial institutions, government organizations, and those with either large networks or networks that are high value targets for attackers may want to spring for the more expensive private service, which offers a perfect mirror of the real network that it will ultimately be protecting. Highly destructive threats can be run against the mirror network and don’t have to be neutered in any way, since they are only going to ravage the test network. Having a whipping boy to take the punishment and reveal vulnerabilities — with no risk whatsoever to the actual network — is an invaluable tool for networks with high security needs.

Copyright 2018 IDG Communications. All rights reserved.